Trojans Replace Windows System Files

When the threat research analysts here at Webroot recently started seeing malware swapping out legitimate components of Windows and replacing them with malware payloads, I couldn’t help but wonder what these malware authors were thinking.

After all, cybercriminals with a lick of sense know very well that messing with system files is dangerous juju. Such an act could, in the right (or should I say wrong) circumstances, render a PC inoperable, or at the very least, bogged down in crashes and instability. And for the authors of phishing malware, it would be incredibly thick-headed to do something to an infected system which might alert the user that something is wrong. After all, when it comes to stealing passwords, flying under the radar is the goal, otherwise the owner of the infected machine might hunt down the problem and remove the Trojan before it has a chance to do its work.

Well, it’s probably a good idea never to underestimate the stupidity of some malware authors. In the past four months, we’ve created new definitions for two phishing Trojans, Trojan-PWS-Mockworthy and Trojan-Phisher-Cassicant, that routinely replace system files with their own malicious payload. Removal is incredibly easy, but because the legitimate file is gone, Windows throws error messages once the fake is deleted. That’s just annoying. The good news is that restoring the original file doesn’t require an antivirus product at all: once a system sweep has removed the malicious components, a built-in service called Windows File Protection (WFP) will locate the correct system file in the dllcache folder or on your Windows CD and put it back for you. Read on for step-by-step instructions on how to do that.

Mockworthy was the first among recent phishing Trojans to replace a system file as a matter of course: it swapped out a Windows file called comres.dll for an identically named payload. Now Cassicant is doing the same thing, but targeting the Language Pack DLL, lpk.dll. In both cases the replacement is much smaller than the original, which makes it easy to spot with nothing more than a file listing. The legitimate comres.dll is around 775KB, and lpk.dll is usually around 22KB. The malicious comres.dll weighs in between 40KB and 120KB, and the malicious lpk.dll between 7KB and 14KB. A second tell is the digital signature: the genuine files are Microsoft-signed (via the Windows catalog files), and the payloads are not.

Windows File Protection typically kicks in when a protected system file is replaced, but in the case of these two phishers WFP won’t notice the swap until our engine deletes the malicious version. And in the case of Cassicant, the spy deliberately disables WFP, so if your PC has been infected with Cassicant you may need to fix a registry value before the System File Checker (SFC) will work at all: the value is SFCDisable under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and setting it to 0 re-enables protection (see the Cassicant threat description for details).

Once you’ve re-enabled SFC and the sweep has removed the payload, open a command prompt (on Vista and later, right-click and choose Run as administrator) and type SFC /SCANNOW, then press Enter. The program will do its thing and may prompt you to insert your Windows CD (the one matching your installed service pack) to find the right replacement file. Once the replacement has been installed, reboot your system. Stability will be restored as easily as a knife cuts butter.
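The checks and the repair steps above, collected into one script. This is an added example, not code from the Webroot post or any Webroot product: it compares the on-disk size and Authenticode status of comres.dll and lpk.dll against the figures quoted in the post, resets the SFCDisable value that Cassicant tampers with, and then runs SFC. The "half the expected size" threshold is an assumption chosen to separate the sizes listed above, not a detection signature, and the SFCDisable value only governs WFP on Windows 2000/XP/2003 (later versions use Windows Resource Protection, where resetting it is harmless but has no effect). Run it from an elevated PowerShell session after the antivirus sweep has already deleted the malicious copies.

```powershell
# Added example (not from the original post): verify the two system files these
# Trojans replace, re-enable Windows File Protection if Cassicant disabled it,
# and run the System File Checker. Requires an Administrator PowerShell session.

$system32 = Join-Path $env:SystemRoot 'System32'

# Approximate legitimate sizes quoted in the post. The payloads are a fraction
# of these, so anything under half the expected size is flagged (assumed threshold).
$expected = @{
    'comres.dll' = 775KB
    'lpk.dll'    = 22KB
}

function Test-SystemFile {
    param([string]$Name, [long]$ExpectedSize)

    $path = Join-Path $system32 $Name
    if (-not (Test-Path $path)) {
        # WFP/SFC will restore a missing file; report it so the caller runs SFC.
        return [pscustomobject]@{ File = $Name; Status = 'MISSING'; Size = $null; Signed = $null }
    }

    $item = Get-Item $path
    # Genuine Microsoft DLLs are signed through the Windows catalog files. Older
    # PowerShell builds report catalog-signed files as NotSigned, so the size test
    # is the primary indicator and the signature is supporting evidence only.
    $sig      = Get-AuthenticodeSignature $path
    $tooSmall = $item.Length -lt ($ExpectedSize / 2)

    [pscustomobject]@{
        File   = $Name
        Status = if ($tooSmall) { 'SUSPECT' } else { 'OK' }
        Size   = $item.Length
        Signed = $sig.Status
    }
}

$results = foreach ($name in $expected.Keys) {
    Test-SystemFile -Name $name -ExpectedSize $expected[$name]
}
$results | Format-Table -AutoSize

# Cassicant disables WFP by setting SFCDisable under Winlogon; 0 turns it back on.
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfcDisable = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfcDisable -and $sfcDisable -ne 0) {
    Write-Warning "SFCDisable is $sfcDisable; resetting it to 0 so Windows File Protection runs."
    Set-ItemProperty -Path $winlogon -Name SFCDisable -Value 0 -Type DWord
}

# Only run the (slow) full scan if a protected file looked wrong. SFC may ask for
# the Windows CD matching the installed service pack; reboot once it finishes.
if ($results | Where-Object { $_.Status -ne 'OK' }) {
    & (Join-Path $system32 'sfc.exe') /scannow
    Write-Host 'Reboot once SFC finishes to complete the repair.'
}
else {
    Write-Host 'comres.dll and lpk.dll look intact; no SFC run needed.'
}
```

Run the sweep first: if the malicious copy is still in place when SFC runs, the scan only replaces files it recognises as wrong, and the post notes that WFP did not flag these two swaps until the payload had been deleted. If the script reports SUSPECT for a file whose signature shows Valid, trust the signature and re-check the size figures, since file sizes vary slightly between Windows versions and service packs.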